Passive Physical Layer Distinct Native Attribute Cyber Security Monitor

ABSTRACT

A method for cyber security monitoring includes monitoring a network interface that is input-only configured to surreptitiously and covertly receive bit-level, physical layer communication between networked control and sensor field devices. During a training mode, a baseline distinct native attribute (DNA) fingerprint is generated for each networked field device. During a protection mode, a current DNA fingerprint is generated for each networked field device. The current DNA fingerprint is compared to the baseline DNA fingerprint for each networked field device. In response to detecting at least one of a remote access attack (RAA) and a physical access attack (PAA) based on a change in the current DNA fingerprint relative to the baseline DNA fingerprint of one or more networked field devices, an alert is transmitted, via an external security engine interface, to an external security engine.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of priority under 35 U.S.C. § 119(e) to U.S. Provisional Application Ser. No. 62/856,784 entitled “Passive Physical Layer Distinct Native Attribute Cyber Security Monitor”, filed 4 Jun. 2019, the contents of which are incorporated herein by reference in their entirety.

This application claims the benefit of priority under 35 U.S.C. § 119(e) to U.S. Provisional Application Ser. No. 63/031,132 entitled “Passive Physical Layer Distinct Native Attribute Cyber Security Monitor”, filed 28 May 2020, the contents of which are incorporated herein by reference in their entirety.

ORIGIN OF THE INVENTION

The invention described herein was made by employees of the United States Government and may be manufactured and used by or for the Government of the United States of America for governmental purposes without the payment of any royalties thereon or therefor.

BACKGROUND

1. Technical Field

The present disclosure generally relates to apparatus and methods of detecting cyber security vulnerabilities of a wirelessly linked system.

2. Description of the Related Art

The need to establish reliable and secure communications between network control and physical (PHY) field devices remains a challenge within various sensor network arenas that include industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, internet of things (IoT), and industrial IoT (IIoT) applications [Ref. 1: Ron1]. Therefore, this invention addresses the problem of achieving secure and reliable wireless communications within the ICS/SCADA and IoT (thereby including IIoT) areas. To that end, while any wireless sensor network contains vulnerabilities, the ICS/SCADA/IoT networks are particularly valuable targets for attackers given they often support critical infrastructure (CI) elements such as water treatment, petroleum product distribution, medical systems, and transportation. Therefore, the need to provide security for such wireless sensor networks remains a national-level priority for both the public and private sectors [Ref. 2: DHS; Ref. 3: Eri; Ref. 4: Meh].

SUMMARY

According to one aspect of the present disclosure, a cyber-security monitor includes a receiver having a network interface that is input-only configured to surreptitiously and covertly receive bit-level, physical layer communication between networked field devices. The networked field devices include at least one field device control element and one or more field device sensors within a network. A memory of the cyber security monitor contains one or more distinct native attribute (DNA) fingerprinting methods for detecting one or more of remote access attacks (RAA) and physical access attacks (PAA) of the networked field devices. An external security engine interface of the cyber-attack monitor is communicatively coupled for input and output with an external security engine. A controller of the cyber-attack monitor is communicatively coupled to the wireless receiver, the memory, and the external security engine interface. The controller receives, via the receiver, respective transmissions from the networked field devices. The controller generates a DNA fingerprint for each networked field device using the one or more DNA fingerprint methods. The controller transmits an alert, via the external security engine interface, to the external security engine indicating detection of at least one of an RAA and a PAA based on a change in the DNA fingerprint of one or more networked field devices.

According to another aspect of the present disclosure, a method for cyber security monitoring includes monitoring, by a controller, a network interface that is input-only configured to surreptitiously and covertly receive bit-level, physical layer communication between networked field devices. The networked field devices include at least one field device control element and one or more field device sensors. The method includes generating a baseline DNA fingerprint for each networked field device using the one or more DNA fingerprint methods during a training mode that identifies at least one of: (i) each networked field device; and (ii) one or more operating states of each networked field device. During a protection mode, the method includes: (i) generating a current DNA fingerprint for each networked field device; (ii) comparing the current DNA fingerprint to the baseline DNA fingerprint for each networked field device; and (iii) transmitting an alert, via an external security engine interface to an external security engine, in response to detecting at least one of an RAA and a PAA based on a change in the current DNA fingerprint relative to the baseline DNA fingerprint of one or more networked field devices.

According to an additional aspect of the present disclosure, a cyber-attack monitored system includes networked field devices comprising at least one field device control element and one or more field device sensors within a network. The cyber-attack monitored system includes an external security engine. The cyber-attack monitored system includes a cyber-security monitor. A receiver of the cyber-attack monitor has a network interface that is input-only configured to surreptitiously and covertly receive bit-level, physical layer communication between the networked field devices. A memory of the cyber-attack monitor contains one or more DNA fingerprinting methods for detecting one or more of RAA and PAA of the networked field devices. An external security engine interface is communicatively coupled for input and output with the external security engine. A controller is communicatively coupled to the wireless receiver, the memory, and the external security engine interface. The controller receives, via the receiver, respective transmissions from the at least one field device control element and the one or more field device sensors. The controller generates a DNA fingerprint for each networked field device using the one or more DNA fingerprint methods. The controller transmits an alert, via the external security engine interface, to the external security engine indicating detection of at least one of an RAA and a PAA based on a change in the DNA fingerprint of one or more networked field devices.

Additional objects, advantages, and novel features of the invention will be set forth in part in the description which follows, and in part will become apparent to those skilled in the art upon examination of the following or may be learned by practice of the invention. The objects and advantages of the invention may be realized and attained by means of the instrumentalities and combinations particularly pointed out in the appended claims.

BRIEF DESCRIPTION OF THE DRAWINGS

The description of the illustrative embodiments can be read in conjunction with the accompanying figures. It will be appreciated that for simplicity and clarity of illustration, elements illustrated in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements are exaggerated relative to other elements. Embodiments incorporating teachings of the present disclosure are shown and described with respect to the figures presented herein, in which:

FIG. 1 illustrates a diagram of the relationship between an open systems interconnection (OSI) seven-layer model and a Purdue enterprise reference architecture (PERA), according to one or more embodiments;

FIG. 2A depicts a block diagram of monitoring of remote access attacks (RAA) and physical access attack (PAA) communications by a representative sensor network, according to one or more embodiments;

FIG. 2B depicts a functional block diagram of a DNA-based security monitor, according to one or more embodiments;

FIG. 2C depicts a functional block diagram of a representative RAA element interconnection, according to one or more embodiments;

FIG. 2D depicts a functional block diagram of representative PAA field elements in operating spaces that may be used to orchestrate an attack, according to one or more embodiments;

FIG. 3 presents a hardware interconnection and processing control flow diagram of a method for wireless passive monitor training and operational protection, according to one or more embodiments; and

FIG. 4 presents a flow diagram of a method for cyber security monitoring of networked field devices, according to one or more embodiments.

DETAILED DESCRIPTION

The present innovation provides a passive physical layer distinct native attribute cyber security monitor, which is a passive, non-networked, non-operably connected, cyber security monitor utilizing physical (PHY) layer distinct native attribute (DNA) features to discriminate between field device hardware and/or field device operating state(s) to detect threats (unauthorized user access and/or abnormal system operation) and provide an alert of anomalous operating conditions.

In one or more embodiments, the present disclosure provides a passive, non-networked, non-operably connected, cyber security monitor utilizing physical (PHY) layer distinct native attribute (DNA) features to discriminate between field device hardware and/or field device operating state(s) to detect threats (unauthorized user access and/or abnormal system operation) and provide an alert of anomalous operating conditions.

A. PURPOSE: One purpose of the present disclosure is to detect cyber security threats to sensor network field devices by exploiting DNA-based PHY layer features to perform device hardware and/or device operating state(s) operation discrimination. During the employment of DNA-based discrimination, unlike the prior art, the invention is not a network client operating on the protected network (non-operably connected), thereby not exposing itself as a network element vulnerable to cyber threats—the same threats the invention is designed to detect. This invention addresses security needs for both: (i) pre-attack defense by providing a detection capability; and (ii) post-attack cyber forensic analysis using logged or recorded data. This invention fills a security gap [Ref. 5: Wei1, Ref. 6: Wei2, Ref. 7: Wei3] by providing threat detection at the PHY operating layer of wireless sensor networks; the lowest open systems interconnection (OSI) “Physical” and Purdue Enterprise Reference Architecture (PERA) “Process” layers illustrated in FIG. 1 [Ref. 1: Ron1]. In addition, the protection provided by this invention inherently provides support for post-attack forensics by establishing the PHY (“lowest-layer”) elements in a cross-layer cyber forensic security concept [Ref. 8: Ron2].

As noted in [Ref. 5: Wei1, Ref. 6: Wei2, Ref. 7: Wei3, Ref. 1: Ron1] there is a near-total absence of PHY-based security for wireless sensor networks, and therefore there are no legacy methods used prior to this invention. Though existing systems have not been implemented that rely exclusively on PHY-based security, there are techniques that exploit PHY layer information; a summary of which is provided in Section 4 of [Ref. 8: Ron2]. More generally, the existing techniques and systems are predominantly designed to address cyber security for wireless sensor networks by focusing on high-layer information [Ref. 8: Ron2]. Examples include network traffic analysis and packet sniffing in the higher OSI Layer 2-Layer 7 and PERA Layer 2-Layer 5 processes illustrated in FIG. 1. These high-layer techniques, which are realized in a variety of different applications, operate within the same network they are designed to protect. For these high-layer techniques, within-network operation is both a requirement (to enable data collection and provide real-time threat detection) and an accepted vulnerability. The PHY-based invention here distinguishes itself from the class of high-layer techniques in two ways: (1) it utilizes the lowest-layer information, which may not be collected or is either discarded or disregarded when collected, and (2) it represents a passive, non-networked, non-operably connected, wireless security capability that is not susceptible to cyber physical access attack (PAA) methods requiring hardware access or remote access attacks (RAA) occurring through operably connected network elements.

FIG. 1 depicts a diagram of the relationship between the open systems interconnection (OSI) seven-layer model [Ref. 9: Joh] and the Purdue enterprise reference architecture (PERA) [Ref. 10: Did] showing the high-layer, lowest-layer, and cross-layer information domains on the right side [Ref. 8: Ron2] within the cross-layer security engine operating space.

Perhaps of greatest relation to the restrictive PHY-based discussion is the “MSi Platform” that has been developed by Mission Secure, Inc. [Ref. 11: Msi1] and which is believed to be the basis for the invention described in U.S. Pat. No. 9,697,355 [Ref. 12: Msi2]. As detailed in [Ref. 11: Msi1], the platform includes an “MSi Sentinel” element which is shown to interconnect/interact with PERA Layer 0 and Layer 2 elements shown in FIG. 1. Thus, this present disclosure and the MSi Sentinel may have some commonality in using PHY layer information, although the type and nature of exploited PHY information and how it is used differs. However, there appear to be major implementation differences between products related to [Ref. 12: Msi2] and the invention here, which are perhaps best expressed in considering 1) the use(s) of passive and non-operable connections to the protected sensor network, as in this invention, versus 2) the extensive use of operatively/operably coupled connections in [Ref. 12: Msi2]. Most appropriately, the use of “passive(ly)” only generally appears one time in [Ref. 12: Msi2] while the use of “operatively/operably coupled” specifically appears 14 times in [Ref. 12: Msi2] when addressing the use of the 101 security device(s). In this context, the use of “operatively/operably coupled” is best interpreted as meaning the 101 security device(s) is itself a networked device within the wireless sensor network to be protected. Thus, the 101 security device(s) have digital identities (ID) that are as externally “visible” as all other networked devices and subject to the same bit-level cyberattacks they are being emplaced to protect against. This differs considerably from the passive invention here that is non-operably connected (non-networked) and which remains largely undetectable and unexploitable by the bit-level cyberattacks it is designed to protect against. Moreover, this invention realizes a new, distinct level of protection over the prior art in that, when operating amidst a compromised network, the alerts generated by the monitor remain unbeknownst (invisible) to the attacker. Thus, the attacker remains engaged and real-time investigative attribution (identification and assessment of attack responsibility [Ref. 13: ODNI]) activity can continue.

B. DETAILED DESCRIPTION: The detailed description of essential invention details and characteristics are presented in the following subsections: B.1 DNA Fingerprinting; B.2 System Functional Operation; and B.3 Operational Modes and optional operating States.

B.1. DNA Fingerprinting:

The present disclosure provides a passive, non-networked, non-operably connected, wireless security solution providing a PHY-based security augmentation for IoT, IIoT, ICS/SCADA, and other wireless sensor applications. Primary protection is provided through Distinct Native Attribute (DNA) fingerprinting methods that have been developed and demonstrated in support of providing both pre-attack system defense and post-attack forensic analysis. Use of the term “distinct native attribute” (DNA) is consistent with [Ref. 14: Cob] and embodies the coloration of signal responses that is induced by the intrinsic physical attributes of the device producing the signal. Fingerprinting methods supported by the invention include Radio Frequency DNA (RF-DNA) [Ref. 15: Rei, Ref. 16: Tal], Wired Signal DNA (WS-DNA) [Ref. 17: Lop] and Constellation Based DNA (CB-DNA) [Ref. 1: Ron1] processes that represent the historical timeline of related DNA discoveries and demonstrations. All methods presented here are utilized by the invention.

RF-DNA work in [Ref. 15: Rei] introduced a Time Domain (TD) device identification (ID) verification process that enables reliable detection of rogue device activity that includes unauthorized hardware devices attempting to gain network access to a protected network by presenting false bit-level credentials for an authorized network device(s). Demonstrations in [Ref. 15: Rei] include networks comprised of authorized Wi-Fi and WiMAX communication devices, with TD RF-DNA fingerprints input to Multiple Discriminant Analysis (MDA) and Learning Vector Quantization (LVQ) classification processes to assess rogue hardware detection capability. For the most challenging like-manufacturer, like-model attacking rogue device cases, results include 90% to 100% correct serial number level discrimination of authorized and rogue hardware devices.

RF-DNA work in [Ref. 16: Tal] adopted the TD fingerprinting and MDA processes of [Ref. 15: Rei] and expanded demonstrations to include Slope-Based Frequency Shift Keying (SB-FSK) fingerprint features. Rogue detection assessments in [Ref. 16: Tal] were conducted for an authorized network of Insteon IoT home automation devices, with attacking rogue devices including both 1) the most challenging case using like-manufacturer, like-model Insteon devices, and 2) the least challenging case using dissimilar-manufacturer YARD Stick One software defined radio (SDR) devices—this SDR choice was motivated by related Insteon cyberattack demonstrations that resulted in unprotected (no RF-DNA discrimination) wireless Insteon devices being errantly controlled by a rogue device. The attacking rogue devices were digitally programmed to present false bit-level IDs for authorized Insteon devices, and an attack was deemed successful if the rogue device could functionally control the unprotected targeted end point device. SB-FSK features were superior to TD features, with the most challenging case results including better than 95% rogue detection, and 100% rogue detection achieved for the less challenging SDR attacks.

WS-DNA work in [Ref. 17: Lop] adopted TD fingerprinting methods from [Ref. 15: Rei] and SB-FSK fingerprinting methods from [Ref. 16: Tal] to extend PHY-based DNA fingerprinting development and demonstration using field device Wired Signal DNA (WS-DNA) features. The WS-DNA features were extracted from Highway Addressable Remote Transducer (HART) signals used in ICS/SCADA applications, and the MDA processing was augmented with a Random Forest (RndF) classifier to identify the most relevant fingerprint features required to achieve a given level of discriminability. The demonstrations in [Ref. 17: Lop] include assessments related to both cyber PAA (rogue hardware device detection) and RAA (abnormal operation detection) activity. These were accomplished using two hardware devices from each of three manufacturers (6 total devices), with each device operating (actual versus reported) at one of two distinct set points. Considering 10 PAA and 12 RAA assessments, the average rogue/anomalous detection rate was approximately 93% using dimensionally reduced RndF fingerprints containing only 15% of the features required for marginally-better MDA performance.

CB-DNA work in [Ref. 1: Ron1] extended PHY-based security augmentation assessments by introducing CB-DNA features to discriminate 802.15.4 Wireless Personal Area Network (WPAN) compliant signals. The demonstration in [Ref. 1: Ron1] was based on the ZigBee protocol, which is commonly used in ICS applications and has direct applicability to WirelessHART process applications. Results in [Ref. 1: Ron1] are based on 120 unique networks comprised of seven authorized like-model ZigBee devices from a given manufacturer, with 3 additional non-network devices serving as attacking rogue devices. Collectively, a total of 2520 rogue detection assessments were conducted using the MDA verification process from [Ref. 16: Tal], and an average cumulative rogue detection rate of 94% was demonstrated.

The present innovation is capable of utilizing any of the noted DNA features in support of pre-attack defense and post-attack forensic objectives. The specific method used is envisioned to be tailored to the specific application, signal type, required response time, available computation resources, etc.

B.2. SYSTEM FUNCTIONAL OPERATION: FIGS. 2A-2D depict functional block diagrams of an implementation of a DNA-based security monitor showing interactions between network elements and RAA/PAA operating domains, and illustrating the invention's interfaces, internal decision logic and processes, and connection types for a given collection option (wired or wireless). In particular, FIG. 2A depicts a block diagram 200 a of monitoring of RAA and PAA communications by a representative sensor network. FIG. 2B depicts a functional block diagram 200 b of a DNA-based security monitor. FIG. 2C depicts a functional block diagram 200 b of a representative RAA element interconnection. FIG. 2D depicts a functional block diagram 200 b of representative PAA field elements in operating spaces that may be used to orchestrate an attack. FIG. 2A explicitly depicts segregation of RAA and PAA operating space elements, with the PAA space including the protected field devices and protected field device operations. As indicated in FIG. 2B, the present innovation operates in a passive, receive-only mode and is either: (i) physically connected and senses/monitors wired signal activity; and/or (ii) not physically connected and senses/monitors wireless signal activity. To maintain a level of monitoring covertness (monitor presence not detectable by an external entity), care must be taken when establishing physical wired connectivity to ensure normal network operation is not altered. An implementation that altered normal network operation would not be consistent with the concept of operations for this innovation.

FIG. 2B depicts the interfaces and functional block diagram for the DNA-based monitor. As indicated, there are two main monitor interfaces, including 1) the Wired/Wireless Interface used for extracting the field device signals of interest, and 2) the External Security Engine Interface that enables external programming (e.g., by the Cross-Layer Security Engine in FIG. 1), such that desired protection is achieved by proper selection of post-collection parameters, DNA type, alert criteria, alert actions, etc. Computational requirements and required flexibility may be accomplished using a platform hosting a Field Programmable Gate Array (FPGA), or similarly capable device. As established and influenced through the External Security Engine Interface, the roles and operation of monitor functional elements in FIG. 2B are adaptable and include the following:

(1) Wired/Wireless Interface (Input-Only): Provides the wired and/or wireless connectivity to selected RAA and PAA space elements and extracts responses of interest. The wired/wireless interface is non-operably connected in either configuration, i.e., it is not an element of, nor does it interact with, the sensor network being protected. The type of connectivity (wired or wireless) is based upon sensor network architecture and externally determined upon installation of the invention in the selected operating space(s). For other products such as the aforementioned MSi Sentinel, the security device is operably connected to the sensor network and has bidirectional interaction (i.e., transmits to and receives from) with other networked devices using the implemented bit-level transmission control protocol/internet protocol (TCP/IP) connectivity.

(2) External Security Engine Interface (Input-Output): (a) Provides main computation and processing control input for monitor configuration and operation(s), and (b) accepts the final monitor Alert Decision for taking network protection action(s). This interface may be provided through the Cross-Layer Security Engine such as illustrated in FIG. 1. Prior art suggests that the sole mechanism for providing this output is through the protected network communications, thus increasing the vulnerability of prior art monitors. Conversely, the output of this invention provides a novel approach whereby an Alert Decision is supplied directly to the operator(s) via alternate back channel communications without utilizing the protected network communications.

(3) Internal Process Control: Computational requirements and the required computational flexibility are accomplished using a platform hosting a Field Programmable Gate Array (FPGA), or similarly capable data processing device. The controllable core monitor functions in FIG. 2B include:

(3a) Post-Collection Processing: Collected wired/wireless signal responses are processed to detect (temporally locate and extract) instantaneous time samples within the specific region of interest (ROI) used for DNA fingerprint generation. In the case of wireless signal responses, this may include pre-detection processing such as frequency down-conversion, baseband filtering, and other processes commonly used to improve signal-to-noise ratio (SNR). The collected ROI responses may also be stored, archived, etc., to assist in post-attack forensic analysis.

(3b) DNA Fingerprint Generation: Selected DNA features as in [Ref. 15: Rei, Ref. 16: Tal, Ref. 17: Lop, Ref. 1: Ron1] are generated from detected ROI responses, and DNA fingerprints are formed to characterize current transmitting field device hardware and/or operating state. As evident by the broad range of demonstrations in [Ref. 15: Rei, Ref. 16: Tal, Ref. 17: Lop, Ref. 1: Ron1], the DNA fingerprinting framework is sufficiently flexible and modular to accommodate future DNA discovery and

(3c) Alert Decision: The current received DNA fingerprints are generated in the operational protect mode and compared with fingerprints generated during an operational training mode, where the monitor learned DNA features for the protected field device while operating under confirmed normal operating conditions. A current protect vs. previously trained fingerprint verification assessment is performed, and an anomalous (e.g., rogue field device transmitting false bit-level credentials or the authorized field device transmitting errant state information) declaration is made if anomalous condition criteria are satisfied. Anomalous detection results in an action response (e.g., warning) to inform the protected system to take protective action(s) (disconnect from network, turn on alternate security measures, etc.). The invention here differs from prior art in that the Alert Decision is transmitted to the user via back channel communications versus through the protected network communication channel, thus preserving the monitor's isolation and preventing attackers from being able to detect monitor presence and the issuing of an alert. Details for monitor training and protection modes are provided in the following section.

B.3 Operating Modes

(1) Training Mode: Upon introducing the present innovation into a given environment to be protected, the monitor training mode will be initiated, whereby the monitor is able to learn “normal” conditions and train the discrimination process by collecting signals, generating selected DNA features, and forming device or operation dependent fingerprints (protected field device wired/wireless signals reflect valid bit-level credentials and valid operating state).

(2) Protection Mode: Following training and learning of “normal” operating conditions, the invention is placed into protection mode and normal (trained fingerprint) vs. anomalous (current fingerprint) discrimination of field device hardware or field device state is continuously performed. The DNA-based discrimination process supports both Remote Access Attack (RAA) and Physical Access Attack (PAA) detection, summarized as follows:

(2a) A field device RAA is a bit-level attack whereby some RAA element in FIG. 2C, with some or all RAA space elements interconnected via an Ethernet or other LAN connection, influences the main Local interface device (e.g., PLC) to errantly command the field device to an errant, potentially catastrophic state. As indicated in FIG. 2C, the DNA-based monitor observes (wired or wirelessly) activity from the field device control element (e.g., the PLC as illustrated) and thus knows how the field device is being commanded (e.g., increase coolant flow). The monitor subsequently sees sensor activity (wired or wirelessly) from the field device to the PLC and thus knows the state being reported back to the PLC (e.g., temperature is increasing). Assuming there is no coordinated PAA attack underway (details in the following paragraph), the current state sensed by the DNA-based monitor is correct and the sensor state value is increasing. For this example, if the bit-level RAA is sufficiently robust to mask/alter the sensor state value being acted upon by the PLC to anything other than increasing, it is very possible that the PLC will errantly respond (e.g., decrease coolant flow) and a catastrophic event (e.g., overheating) could occur. However, the DNA-based monitor is able to determine that an inappropriate action-response has occurred and issue an alert.

(2b) A field device PAA is a physical-level attack whereby the attacker has gained access to elements in the PAA space indicated in FIG. 2D. While the term attack is used here to indicate malicious intent, an anomaly could also be the result of accidental or natural causes affecting the devices pictured in FIG. 2D [Ref. 18: Nak]. Attacks may target the hardware, firmware, or the operating state (i.e., disrupt instrument calibration) of the process, sensor, or adapter. Such attacks in the PAA space include but are not limited to device tampering, hardware trojan, credential stealing, evil twin attack, or eavesdropping [Ref. 19: Pan]. In either case, the DNA-based monitor observes (wired or wirelessly) field device sensor and physical process activity. Protection is realized by detecting i) field device hardware changes occurring from degradation/alteration of an authorized device, introduction of an unauthorized device, etc., and ii) field device operating state changes occurring from accidental, malicious, etc., software/firmware changes.
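The training and protection modes of Section B.3, applied to the fingerprinting of Section B.1, can be made concrete with the following added Python example. It is not code from the patent or from the referenced RF-DNA/WS-DNA/CB-DNA work: it assumes a simplified time-domain fingerprint (variance, skewness and kurtosis over equal ROI sub-regions, in the spirit of the TD methods cited) computed on constructed, synthetic amplitude bursts, and it substitutes a standardized-distance threshold for the MDA/LVQ verification used in the references. The function and parameter names (`synth_burst`, `fingerprint`, `train`, `verify`, `rise_tau`, `ripple`, `set_point`) are choices made here. It goes slightly beyond the text in checking both outcomes the section describes: a rogue device with different hardware coloration (PAA case) and the authorized device at an unexpected operating set point (the WS-DNA style state-change case).

```python
import math
import random

# Constructed, simplified illustration of the train/protect flow (not the
# patent's code). A "burst" is a list of instantaneous-amplitude samples over
# the region of interest (ROI) that post-collection processing would extract.
ROI_LEN = 400      # samples per ROI (assumed)
SUBREGIONS = 4     # ROI split into equal sub-regions, RF-DNA style (assumed)


def synth_burst(rise_tau, ripple, set_point, rng, noise=0.01):
    """Constructed ROI response for a hypothetical device.

    rise_tau and ripple model hardware coloration (envelope rise time and
    amplitude ripple), set_point models the device's operating state, and
    rng adds receiver noise so repeated captures are not identical.
    """
    return [
        set_point * (1.0 - math.exp(-n / rise_tau))
        * (1.0 + ripple * math.sin(2.0 * math.pi * n / 50.0))
        + rng.gauss(0.0, noise)
        for n in range(ROI_LEN)
    ]


def moments(xs):
    """Variance, skewness and kurtosis of one sample window."""
    n = len(xs)
    mu = sum(xs) / n
    m2 = sum((x - mu) ** 2 for x in xs) / n
    if m2 == 0.0:
        return [0.0, 0.0, 0.0]
    m3 = sum((x - mu) ** 3 for x in xs) / n
    m4 = sum((x - mu) ** 4 for x in xs) / n
    return [m2, m3 / m2 ** 1.5, m4 / m2 ** 2]


def fingerprint(burst):
    """DNA fingerprint: statistics per ROI sub-region plus the whole ROI."""
    step = len(burst) // SUBREGIONS
    feats = []
    for i in range(SUBREGIONS):
        feats.extend(moments(burst[i * step:(i + 1) * step]))
    feats.extend(moments(burst))
    return feats


def train(bursts):
    """Training mode: baseline = per-feature mean and spread over >= 2 confirmed-normal captures."""
    fps = [fingerprint(b) for b in bursts]
    k = len(fps)
    if k < 2:
        raise ValueError("training needs at least two captures to estimate spread")
    dim = len(fps[0])
    mean = [sum(f[j] for f in fps) / k for j in range(dim)]
    std = [math.sqrt(sum((f[j] - mean[j]) ** 2 for f in fps) / (k - 1)) for j in range(dim)]
    # Floor the spread so a feature that barely varies cannot blow up the distance.
    return {"mean": mean, "std": [max(s, 1e-9) for s in std]}


def verify(baseline, burst, threshold=4.0):
    """Protection mode: RMS z-score distance of the current fingerprint from the baseline.

    Returns (distance, alert). The fixed threshold stands in for the MDA/LVQ
    verification used in the referenced work.
    """
    f = fingerprint(burst)
    z2 = [((f[j] - baseline["mean"][j]) / baseline["std"][j]) ** 2 for j in range(len(f))]
    distance = math.sqrt(sum(z2) / len(z2))
    return distance, distance > threshold


def demo():
    """Train on an authorized device, then check three protect-mode captures."""
    rng = random.Random(1)
    baseline = train([synth_burst(20.0, 0.02, 1.0, rng) for _ in range(10)])
    return {
        # same hardware, same set point: should pass
        "authorized": verify(baseline, synth_burst(20.0, 0.02, 1.0, random.Random(99))),
        # different hardware coloration presenting as the same device (PAA case)
        "rogue_hw": verify(baseline, synth_burst(60.0, 0.08, 1.0, random.Random(5))),
        # authorized hardware at an unexpected operating set point (state change)
        "state_shift": verify(baseline, synth_burst(20.0, 0.02, 1.5, random.Random(7))),
    }


if __name__ == "__main__":
    for label, (distance, alert) in demo().items():
        print(f"{label:12s} distance={distance:8.2f} alert={alert}")
```

The alert decision is a plain return value rather than a network message, matching the section's point that the monitor reports over a back channel rather than the protected network; what the verification returns is what the External Security Engine Interface would carry. Skewness and kurtosis are scale-invariant, so the set-point case is caught through the variance features alone, which is why a fingerprint mixing scale-sensitive and scale-free statistics separates hardware changes from state changes better than either kind alone.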

C. Manner and Process of Making the Invention

The invention capabilities in FIG. 2B may be achieved using commercially available hardware and software. The invention is described in detail in Section B.2, and thus is not repeated here. No specialized equipment or manufacturing is required for the process or completion of this invention. The following sections reiterate the pertinent requirements for provisioning hardware and software for the invention.

C.1 HARDWARE: FIG. 3 illustrates the monitor hardware interconnection and processing control configuration. Referring now to FIG. 3, 101 is the hardened physical enclosure for the invention. The hardening specifications are dependent on the environment where monitoring is to be performed. The invention in 101 is controlled via the FPGA at 104. Section B.2 (3) indicates that the invention is accomplished using a platform hosting an FPGA, or similarly capable data processing device. FPGAs are commercially available along with required accessory elements such as wires, cables, or antennas. The exact FPGA specifications are determined by the application, the signal of interest, and the operational environment, to include the channel effects. Queries and settings indicated at 120 and 130 are requested and processed at 104 via the external security engine interface illustrated at 114 and connected to devices external to the invention illustrated at 201. The received network signals used for monitor train and protect modes are input to the invention via 102, illustrated as an antenna. The output from 102 is connected via 111 to the SDR at 103. The processed SDR signals for the protected network are transmitted via 112 to the FPGA-based system controller at 104, where the DNA Fingerprints are generated. The operational modes of the invention are illustrated in 130, starting with a query for the DNA Fingerprinting type at 131 and mode selection at 132—either 133 train mode or 134 protect mode. The operations and interfaces noted in FIG. 2B are performed at 104. For some embodiments, data storage at 105 can be included in, or provided external to, the enclosure at 101 via the controller interface at 113. The monitor alert decision is generated at 104 and transmitted via the non-networked, non-operably coupled back channel communication interface 114 to external system elements illustrated at 201.

C.2 SOFTWARE: There is no requirement for software or programming language for the interactions depicted in FIG. 2B. DNA fingerprinting may be executed using any language that is capable of performing the functions required for the DNA methods described in Ref. 15: Rei, Ref. 16: Tal, Ref. 17: Lop, and Ref. 1: Ron1. All four (4) references utilized MATLAB from MathWorks to demonstrate the capability for the DNA fingerprinting method. Other experimentation has successfully demonstrated DNA fingerprinting implementation in C++ and Python.

D. ALTERNATIVES: There is one primary Level-0/Level-1 PHY-based alternative to the present disclosure that is networked and operably coupled to the protected network, the “MSi Sentinel” discussed in Section A. In short, the MSi Sentinel provides a means to interface between and monitor Level-0 and Level-1 device activity, which is a function that this invention also performs. As detailed in Section A, the primary difference between the MSi Sentinel and this invention is that (a) the MSi Sentinel monitoring devices are “operably coupled” (have network IDs and become part of the sensor network) to the system being protected and are thus vulnerable to cyberattack like all other networked devices, whereas (b) the proposed PHY-based DNA monitor is not networked, nor operably connected as a network device, and is therefore not externally detectable or attackable as a network element.

The previous sections articulated the ability to tailor the output of this invention to the user's specifications without significantly changing the core functionality of the invention. Features that could accept substitution are noted in Section B.2 (3) and include but are not limited to: utilizing different DNA features and fingerprinting methods, utilizing different control and processing hardware other than an FPGA, or adding collected response storage capacity to support post-attack forensic analysis.

Substitutions in materials, features, or steps that would significantly detract from the invention include: (1) Exclusion of DNA-based fingerprinting: This would eliminate the distinct experimentation and prior work leading to the invention as well as a core component of the discrimination that the invention is meant to perform. (2) Operably connecting this invention to the protected network: This would eliminate the non-networked, non-operably coupled protection benefits of this invention. With such an alteration, the invention would become a networked element on the protected network and would be vulnerable to attack and/or detection by an external attacker. These non-networked, non-operably coupled characteristics are fundamental to the nature of this invention.

FIG. 4 presents a flow diagram of a method 400 for cyber security monitoring that avoids detection by a malevolent actor who seeks to do a RAA or PAA. Method 400 can be performed using the devices and methods described above for FIGS. 1, 2A-2D, and 3. In one or more embodiments, the method 400 includes monitoring, by a controller, a network interface that is input-only configured to surreptitiously and covertly receive bit-level, physical layer communication between networked field devices comprising at least one field device control element and one or more field device sensors (block 402). Method 400 includes generating a baseline distinct native attribute (DNA) fingerprint for each networked field device using the one or more DNA fingerprint methods during a training mode that identifies at least one of: (i) each networked field device; and (ii) one or more operating states of each networked field device (block 404). Method 400 includes, during a protection mode, generating a current DNA fingerprint for each networked field device (block 406). Method 400 includes comparing the current DNA fingerprint to the baseline DNA fingerprint for each networked field device (block 408). Method 400 includes transmitting an alert, via an external security engine interface to an external security engine, in response to detecting at least one of a remote access attack (RAA) and a physical access attack (PAA) based on a change in the current DNA fingerprint relative to the baseline DNA fingerprint of one or more networked field devices (block 410). Then method 400 ends.

In one or more embodiments, the receiver comprises one or more of a wireless receiver and a wired receiver. In one or more embodiments, the DNA fingerprinting method comprises radio frequency DNA (RF-DNA) that utilizes a time domain (TD) device identification verification process. In one or more embodiments, the DNA fingerprinting method comprises radio frequency DNA (RF-DNA) that utilizes a slope-based frequency shift keying (SB-FSK) process. In one or more embodiments, the DNA fingerprinting method comprises a wired signal DNA (WS-DNA) fingerprinting method. In one or more embodiments, the DNA fingerprinting method comprises a constellation-based (CB-DNA) fingerprinting method to discriminate wireless personal access network (WPAN) compliant signals.

In one or more embodiments, during the training mode, method 400 includes associating a normal cause-and-effect relationship between the field device control element and the one or more field device sensors comprising: (i) a change in at least one of magnitude and direction of a process parameter by the field device control element; and (ii) a changed sensed value from the one or more field device sensors that corresponds to the change of the process parameter. During the protection mode, method 400 includes detecting that a change in a sensed value from the one or more field device sensors does not correspond to the change of the process parameter, which indicates a RAA. In one or more embodiments, method 400 includes generating the alert in response to detecting one of the current DNA fingerprints that is not one of the DNA fingerprints of the networked field devices identified during the training mode, which indicates a PAA.
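The train/protect cycle of method 400 and the cause-and-effect check described above, as an added Python example (not the disclosure's or AFIT's code): the fingerprint is a constructed RF-DNA-style set of per-region amplitude statistics, the burst waveforms, device profiles, thresholds and the valve/flow pairs are constructed for illustration, and the alert list stands in for the external security engine interface.

```python
import math
from dataclasses import dataclass, field
from statistics import fmean, pstdev

N_REGIONS = 4  # RF-DNA style: statistics per sub-region of a burst, plus the whole burst

def region_stats(x):
    """Variance, skewness and kurtosis of one region's amplitude samples."""
    n, mu = len(x), fmean(x)
    var = sum((v - mu) ** 2 for v in x) / n
    sd = math.sqrt(var) if var > 0 else 1e-12
    skew = sum(((v - mu) / sd) ** 3 for v in x) / n
    kurt = sum(((v - mu) / sd) ** 4 for v in x) / n
    return [var, skew, kurt]

def fingerprint(samples):
    """DNA fingerprint: region statistics of N_REGIONS sub-regions and of the whole burst."""
    step = len(samples) // N_REGIONS
    regions = [samples[i * step:(i + 1) * step] for i in range(N_REGIONS)] + [samples]
    return [stat for r in regions for stat in region_stats(r)]

@dataclass
class DnaMonitor:
    """Train mode builds per-device baselines; protect mode compares against them and alerts."""
    paa_threshold: float = 10.0  # constructed tolerance on the rms z-score; calibrate per site
    baselines: dict = field(default_factory=dict)     # device id -> (mean, sd) per feature
    cause_effect: dict = field(default_factory=dict)  # control id -> (gain, tolerance)
    alerts: list = field(default_factory=list)        # what the external security engine receives
    # ---- training mode ----
    def train_device(self, device_id, bursts):
        cols = list(zip(*(fingerprint(b) for b in bursts)))   # one column per feature
        self.baselines[device_id] = ([fmean(c) for c in cols], [max(pstdev(c), 1e-6) for c in cols])

    def train_cause_effect(self, control_id, pairs):
        """pairs: (control_delta, sensor_delta) observed under normal operation."""
        gain = sum(c * s for c, s in pairs) / sum(c * c for c, _ in pairs)
        tol = 3 * max(abs(s - gain * c) for c, s in pairs) + 1e-9
        self.cause_effect[control_id] = (gain, tol)

    # ---- protection mode ----
    def distance(self, device_id, samples):
        mean, sd = self.baselines[device_id]
        z = [(f - m) / s for f, m, s in zip(fingerprint(samples), mean, sd)]
        return math.sqrt(sum(v * v for v in z) / len(z))   # rms z-score against one baseline

    def protect_burst(self, samples):
        """Return the baseline device a burst matches; None plus a PAA alert if it matches none."""
        best = min(self.baselines, key=lambda d: self.distance(d, samples))
        d = self.distance(best, samples)
        if d > self.paa_threshold:
            self.alerts.append({"type": "PAA", "nearest": best, "distance": round(d, 1)})
            return None
        return best

    def protect_process(self, control_id, control_delta, sensor_delta):
        """Check the trained cause-and-effect relationship; RAA alert when the sensor does not follow."""
        gain, tol = self.cause_effect[control_id]
        if abs(sensor_delta - gain * control_delta) > tol:
            self.alerts.append({"type": "RAA", "control": control_id,
                                "expected": round(gain * control_delta, 2), "observed": sensor_delta})
            return False
        return True

def synth_burst(ramp, ripple, seed, n=64):
    """Constructed stand-in for a received burst's envelope: device-specific ramp and ripple plus LCG noise."""
    s, out = seed, []
    for i in range(n):
        s = (1103515245 * s + 12345) % 2 ** 31
        noise = (s / 2 ** 31 - 0.5) * 0.02
        out.append(1.0 - math.exp(-i / ramp) + ripple * math.sin(i / 3.0) + noise)
    return out

PROFILES = {"sensor-A": (8.0, 0.02), "controller-B": (20.0, 0.05)}  # constructed authorized devices

def demo():
    mon = DnaMonitor()
    for dev, (ramp, ripple) in PROFILES.items():                      # training mode
        mon.train_device(dev, [synth_burst(ramp, ripple, seed) for seed in range(1, 21)])
    mon.train_cause_effect("valve-1", [(10, 2.0), (20, 4.1), (-15, -2.9), (5, 1.0)])
    genuine = mon.protect_burst(synth_burst(8.0, 0.02, seed=99))      # protection mode
    rogue = mon.protect_burst(synth_burst(3.0, 0.12, seed=7))         # constructed rogue transmitter
    ok = mon.protect_process("valve-1", 10, 2.1)    # sensor reading follows the valve command
    bad = mon.protect_process("valve-1", 10, -0.2)  # valve opened, reading did not follow: RAA
    return genuine, rogue, ok, bad, mon.alerts
```

The rogue burst fails to match any baseline and raises a PAA alert, while the sensor reading that does not follow the valve command raises a RAA alert; the genuine burst and the consistent reading produce no alert.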

SUMMARY: This innovation was described using the basic design created by the inventors. This is also substantiated by the published works [Ref. 15: Rei, Ref. 16: Tal, Ref. 17: Lop, Ref. 1: Ron1], experimentation, and current prototyping performed at the Air Force Institute of Technology (AFIT).

E. INNOVATION CHART: In one or more embodiments, the following claim chart in TABLE 1 summarizes and specifies the information in the preceding sections.

TABLE 1

| Aspect | Aspect Elements | Evidence | Notes |
|---|---|---|---|
| 1. | A passive, | FIG. 2A, Section A, Section B.2 | This element is also a characteristic of the comparable device from the MSi patent [Ref. 12: Msi2]; however, in combination with the following elements it differentiates the invention from any prior art. |
| | non-networked, | FIG. 2B, Section A, Section B.2 | Section D further details the criticality of this claim element to the invention. |
| | non-operably connected, | FIG. 2B, Section A, Section B.2 | Section D further details the criticality of this claim element to the invention. |
| | cyber security monitor | “External security engine interface” in FIG. 2A and FIG. 2B. The detailed description in Section B.2 | The use of the term monitor ties the system description and features to the use of the invention. |
| 2. | utilizing physical (PHY) distinct native attribute (DNA) features | Section B.1; “DNA Fingerprint Generation” in FIG. 2B | Section D further details the criticality of this claim element to the invention. |
| | to discriminate between field device hardware and/or field device operating state(s) | Demonstrations of the techniques are summarized in this document and are detailed in [Ref. 15: Rei, Ref. 16: Tal, Ref. 17: Lop, Ref. 1: Ron1] | Discrimination is tailored to detect either field device hardware or operating state; either or both aspects can be output to the external security engine interface as described in Section B.2 and Section B.3. |
| 3. | to detect threats (unauthorized user access and/or abnormal system operation) | Demonstrations of threat detection along with documented results are summarized in this document and are primarily detailed in [Ref. 16: Tal] as well as in [Ref. 15: Rei, Ref. 17: Lop, Ref. 1: Ron1] | Threat detection occurs when the invention is in Protection Mode as described in Section B.3. |
| | and provide an alert of anomalous operating conditions. | “External security engine interface” in FIG. 2A and FIG. 2B. The detailed description in Section B.2 (Interface and the Alert Decision subsections) | This element is the utilization of the threat detection from Aspect 2 and the element that enables the monitoring from Aspect 1. The results presented in [Ref. 15: Rei, Ref. 16: Tal, Ref. 17: Lop, Ref. 1: Ron1] demonstrate the innovation's ability to provide such an alert using the discrimination from Aspect 2. |

REFERENCES

The following references cited above are hereby incorporated by reference in their entirety:

-   [Ref. 1: Ron1] C. M. Rondeau, J. A. Betances and M. A. Temple, “Securing ZigBee Commercial Communications Using CB-DNA Fingerprinting,” Jour of Security and Communication Networks, Wiley, Vol. 2018, Article ID 1489347, July 2018.
-   [Ref. 2: DHS] Homeland Security, “Recommended Practice: Improving Industrial Control Systems Cybersecurity with Defense-In-Depth Strategies,” ICS-CERT, pp. 1-56, https://ics-cert.us-cert.gov, September 2016.
-   [Ref. 3: Eri] B. Erinle, “Cyber Security for National Defense,” The Military Engineer, Vol. 105, No. 685, October 2013.
-   [Ref. 4: Meh] A. Mehta, “Could an Air Conditioner Take Down a Military Base? The Pentagon is Worried,” Fifth Domain, November 2017.
-   [Ref. 5: Wei1] J. Weiss, “Cyber security issues with level 0 through 1 devices,” video of paper presented at DEFCON 25, Las Vegas, Nev. Retrieved from https://www.youtube.com/watch?v=UgvVaniZhsk, 2017.
-   [Ref. 6: Wei2] J. Weiss, “Cyber security of sensors are not being addressed and vulnerabilities are not correlated to system impacts,” Control—Unfettered Blog. Retrieved from https://www.controlglobal.com/blogs/unfettered, 2018.
-   [Ref. 7: Wei3] J. Weiss and J. Lopez, “The gap in ICS cyber security and safety—Level 0, 1 devices,” paper presented at the 2018 ISA Power Industry Division (POWID) Conference, Knoxville, Tenn., 2018.
-   [Ref. 8: Ron2] C. M. Rondeau, M. A. Temple and J. Lopez, “Industrial IoT cross-layer forensic investigation,” Wiley Interdisciplinary Reviews: Forensic Science, 1(1), e1322, https://doi.org/10.1002/wfs2_1322, November 2018.
-   [Ref. 9: Joh] P. Johnson, “An OSI model for cloud,” Cisco Blogs. Retrieved from https://blogs.cisco.com/cloud/an-osi-model-for-cloud, 2017.
-   [Ref. 10: Did] P. Didier, et al., “Converged Plantwide Ethernet (CPwE) Design and Implementation Guide,” CISCO Design Guide, pg. 564, 2011.
-   [Ref. 11: Msi1] Mission Secure Inc., “Products,” from https://www.missionsecure.com/solutions/products.
-   [Ref. 12: Msi2] Mission Secure Inc., “Cyber Security for Physical Systems,” U.S. Pat. No. 9,694,355, July 2017.
-   [Ref. 13: ODNI] ODNI, “A Guide to Cyber Attribution,” Office of the Director of National Intelligence, 14 Sep. 2018, from https://www.dni.gov/files/CTIIC/documents/ODNI A_Guide_to_Cyber_Attribution.pdf.
-   [Ref. 14: Cob] W. Cobb, M. A. Temple, R. O. Baldwin, E. W. Garcia, and E. D. Laspe, “Intrinsic Physical Layer Authentication of Integrated Circuits,” U.S. Pat. No. 9,036,891, May 2015.
-   [Ref. 15: Rei] D. R. Reising, M. A. Temple and J. A. Jackson, “Authorized and Rogue Device Discrimination Using Dimensionally Reduced RF-DNA Fingerprints,” IEEE Trans on Information Forensics and Security, 10(6), 1180-1192, June 2015.
-   [Ref. 16: Tal] C. M. Talbot, M. A. Temple, T. J. Carbino, and J. A. Betances, “Detecting Rogue Attacks on Commercial Wireless Insteon Home Automation Systems,” Jour of Computers and Security, Special Issue (Internet and Cloud of Things), 296-307, October 2017.
-   [Ref. 17: Lop] J. Lopez, N. C. Liefer, C. R. Busho, M. A. Temple, “Enhancing Critical Infrastructure and Key Resources (CIKR) Level-0 Physical Process Security Using Field Device Distinct Native Attribute Features,” IEEE Trans on Info Forensics & Security, Vol. 13, No. 5, pp. 1215-1229, May 2018.
-   [Ref. 18: Nak] E. T. Nakamura and S. L. Ribeiro, “A privacy, security, safety, resilience and reliability focused risk assessment methodology for IIoT systems steps to build and use secure IIoT systems,” 2018 Glob. Internet Things Summit, GIoTS 2018, 2018.
-   [Ref. 19: Pan] A. C. Panchal, V. M. Khadse, and P. N. Mahalle, “Security Issues in IIoT: A Comprehensive Survey of Attacks on IIoT and Its Countermeasures,” 2018 IEEE Glob. Conf. Wirel. Comput. Netw., pp. 124-130, 2018.

While the disclosure has been described with reference to exemplary embodiments, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted for elements thereof without departing from the scope of the disclosure. In addition, many modifications may be made to adapt a particular system, device or component thereof to the teachings of the disclosure without departing from the essential scope thereof. Therefore, it is intended that the disclosure not be limited to the particular embodiments disclosed for carrying out this disclosure, but that the disclosure will include all embodiments falling within the scope of the appended claims. Moreover, the use of the terms first, second, etc. does not denote any order or importance; rather, the terms first, second, etc. are used to distinguish one element from another.

In the preceding detailed description of exemplary embodiments of the disclosure, specific exemplary embodiments in which the disclosure may be practiced are described in sufficient detail to enable those skilled in the art to practice the disclosed embodiments. For example, specific details such as specific method orders, structures, elements, and connections have been presented herein. However, it is to be understood that the specific details presented need not be utilized to practice embodiments of the present disclosure. It is also to be understood that other embodiments may be utilized and that logical, architectural, programmatic, mechanical, electrical and other changes may be made without departing from the general scope of the disclosure. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present disclosure is defined by the appended claims and equivalents thereof.

References within the specification to “one embodiment,” “an embodiment,” “embodiments”, or “one or more embodiments” are intended to indicate that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure. The appearances of such phrases in various places within the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Further, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not other embodiments.

It is understood that the use of specific component, device and/or parameter names and/or corresponding acronyms thereof, such as those of the executing utility, logic, and/or firmware described herein, are for example only and not meant to imply any limitations on the described embodiments. The embodiments may thus be described with different nomenclature and/or terminology utilized to describe the components, devices, parameters, methods and/or functions herein, without limitation. References to any specific protocol or proprietary name in describing one or more elements, features or concepts of the embodiments are provided solely as examples of one implementation, and such references do not limit the extension of the claimed embodiments to embodiments in which different element, feature, protocol, or concept names are utilized. Thus, each term utilized herein is to be given its broadest interpretation given the context in which that term is utilized.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used herein, the singular forms “a”, “an” and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.

The description of the present disclosure has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the disclosure in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope of the disclosure. The described embodiments were chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the disclosure for various embodiments with various modifications as are suited to the particular use contemplated.

What is claimed is:
1. A cyber security monitor comprising: a receiver having a network interface that is input-only configured to surreptitiously and covertly receive bit-level, physical layer communication between networked field devices comprising at least one field device control element and one or more field device sensors within a network; a memory containing one or more distinct native attribute (DNA) fingerprinting methods for detecting one or more of remote access attacks (RAA) and physical access attacks (PAA) of the networked field devices; an external security engine interface communicatively coupled for input and output with an external security engine; a controller that is communicatively coupled to the wireless receiver, the memory, and the external security engine interface, and which: receives, via the receiver, respective transmissions from the networked field devices; generates a DNA fingerprint for each networked field device using the one or more DNA fingerprint methods; and transmits an alert, via the external security engine interface, to the external security engine indicating a detected at least one of RAA and PAA based on a change in the DNA fingerprint of one or more networked field devices.
2. The cyber security monitor of claim 1, wherein the receiver comprises a wireless receiver.
3. The cyber security monitor of claim 1, wherein the receiver comprises a wired receiver.
4. The cyber security monitor of claim 1, wherein the DNA fingerprinting method comprises radio frequency DNA (RF-DNA) that utilizes a time domain (TD) device identification verification process.
5. The cyber security monitor of claim 1, wherein the DNA fingerprinting method comprises radio frequency DNA (RF-DNA) that utilizes a slope-based frequency shift keying (SB-FSK) process.
6. The cyber security monitor of claim 1, wherein the DNA fingerprinting method comprises a wired signal DNA (WS-DNA) fingerprinting method.
7. The cyber security monitor of claim 1, wherein the DNA fingerprinting method comprises a constellation-based (CB-DNA) fingerprinting method to discriminate wireless personal access network (WPAN) compliant signals.
8. The cyber security monitor of claim 1, wherein the controller: DNA fingerprints the networked field devices in a training mode in response to a command from the external security monitor engine; and compares the DNA fingerprints obtained during the training mode with current DNA fingerprints for the networked field devices in a protection mode in response to a command from the external security monitor engine.
9. The cyber security monitor of claim 8, wherein the controller: during the training mode, associates a normal cause-and-effect relationship between the field device control element and the one or more field device sensors comprising: (i) a change in at least one of magnitude and direction of a process parameter by the field device control element; and (ii) a changed sensed value from the one or more field device sensors that corresponds to the change of the process parameter; and during the protection mode, detects that a change in a sensed value from the one or more field device sensors does not correspond to the change of the process parameter, which indicates RAA.
10. The cyber security monitor of claim 8, wherein the controller, during the protection mode: determines current DNA fingerprints for one or more networked field devices communicating via the network; compares the current DNA fingerprints with DNA fingerprints of the networked field devices identified during the training mode; and generates the alert in response to detecting one of the current DNA fingerprints that is not one of the DNA fingerprints of the networked field devices identified during the training mode, which indicates a PAA.
11. A method for cyber-security monitoring, the method comprising: monitoring, by a controller, a network interface that is input-only configured to surreptitiously and covertly receive bit-level, physical layer communication between networked field devices comprising at least one field device control element and one or more field device sensors; generating a baseline distinct native attribute (DNA) fingerprint for each networked field device using the one or more DNA fingerprint methods during a training mode that identifies at least one of: (i) each networked field device; and (ii) one or more operating states of each networked field device; and during a protection mode: generating a current DNA fingerprint for each networked field device; comparing the current DNA fingerprint to the baseline DNA fingerprint for each networked field device; and transmitting an alert, via an external security engine interface to an external security engine, in response to detecting at least one of a remote access attack (RAA) and a physical access attack (PAA) based on a change in the current DNA fingerprint relative to the baseline DNA fingerprint of one or more networked field devices.
12. The method of claim 11, wherein the receiver comprises one or more of a wireless receiver and a wired receiver.
13. The method of claim 11, wherein the DNA fingerprinting method comprises radio frequency DNA (RF-DNA) that utilizes a time domain (TD) device identification verification process.
14. The method of claim 11, wherein the DNA fingerprinting method comprises radio frequency DNA (RF-DNA) that utilizes a slope-based frequency shift keying (SB-FSK) process.
15. The method of claim 11, wherein the DNA fingerprinting method comprises a wired signal DNA (WS-DNA) fingerprinting method.
16. The method of claim 11, wherein the DNA fingerprinting method comprises a constellation-based (CB-DNA) fingerprinting method to discriminate wireless personal access network (WPAN) compliant signals.
17. The method of claim 11, further comprising: during the training mode, associating a normal cause-and-effect relationship between the field device control element and the one or more field device sensors comprising: (i) a change in at least one of magnitude and direction of a process parameter by the field device control element; and (ii) a changed sensed value from the one or more field device sensors that corresponds to the change of the process parameter; and during the protection mode, detecting that a change in a sensed value from the one or more field device sensors does not correspond to the change of the process parameter, which indicates RAA.
18. The method of claim 11, generating the alert in response to detecting one of the current DNA fingerprints that is not one of the DNA fingerprints of the networked field devices identified during the training mode, which indicates a PAA.
19. A cyber-attack monitored system comprising: networked field devices comprising at least one field device control element and one or more field device sensors within a network; an external security engine; and a cyber security monitor comprising: a receiver having a network interface that is input-only configured to surreptitiously and covertly receive bit-level, physical layer communication between the networked field devices; a memory containing one or more distinct native attribute (DNA) fingerprinting methods for detecting one or more of a remote access attack (RAA) and physical access attack (PAA) of the networked field devices; an external security engine interface communicatively coupled for input and output with the external security engine; a controller that is communicatively coupled to the wireless receiver, the memory, and the external security engine interface, and which: receives, via the receiver, respective transmissions from the at least one field device control element and the one or more field device sensors; generates a DNA fingerprint for each networked field device using the one or more DNA fingerprint methods; and transmits an alert, via the external security engine interface, to the external security engine indicating a detected at least one of RAA and PAA based on a change in the DNA fingerprint of one or more networked field devices.